Discovers and enumerates BACnet devices and collects device information based on
standard requests. In some cases, devices may not strictly follow the
specifications, or may comply with older versions of the specifications, which
will result in a BACnet error response. Presence of this error positively
identifies the device as a BACnet device, but no enumeration is possible.

Discovers bittorrent peers sharing a file based on a user-supplied
torrent file or magnet link. Peers implement the Bittorrent protocol
and share the torrent, whereas the nodes (only shown if the
include-nodes NSE argument is given) implement the DHT protocol and
are used to track the peers. The sets of peers and nodes are not the
same, but they usually intersect.

Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet
is an ethernet protocol developed by the Brantley Coile Company and allows for
simple, high-performance access to SATA drives over Ethernet.

Attempts to discover hosts in the local network using the DNS Service
Discovery protocol and sends a NULL UDP packet to each host to test
if it is vulnerable to the Avahi NULL UDP packet denial of service
(CVE-2011-1002).

Listens for the LAN sync information broadcasts that the Dropbox.com client
broadcasts every 20 seconds, then prints all the discovered client IP
addresses, port numbers, version numbers, display names, and more.

Sniffs the network for incoming broadcast communication and
attempts to decode the received packets. It supports protocols like CDP, HSRP,
Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more
information.

Sends broadcast pings on a selected interface using raw ethernet packets and
outputs the responding hosts' IP and MAC addresses or (if requested) adds them
as targets. Root privileges on UNIX are required to run this script since it
uses raw sockets. Most operating systems don't respond to broadcast-ping
probes, but they can be configured to do so.

Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using
the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based
protocol so the script has to know what ethernet interface to use for
discovery. If no interface is specified, requests are sent out on all
available interfaces.

Discovers Sonicwall firewalls which are directly attached (not routed) using
the same method as the manufacturer's own 'SetupTool'. An interface needs to be
configured, as the script broadcasts a UDP packet.

Discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus
TellStick is used to wirelessly control electric devices such as lights,
dimmers and electric outlets. For more information: http://www.telldus.com/

Retrieves a list of proxy servers on a LAN using the Web Proxy
Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS
methods of doing so and starts by querying DHCP to get the address.
DHCP discovery requires nmap to be running in privileged mode and will
be skipped when this is not the case. DNS discovery relies on the
script being able to resolve the local domain either through a script
argument or by attempting to reverse resolve the local IP.

Discovers servers running the X Display Manager Control Protocol (XDMCP) by
sending an XDMCP broadcast request to the LAN. Display managers allowing access
are marked using the keyword Willing in the result.

CICS transaction ID enumerator for IBM mainframes.
This script is based on mainframe_brute by Dominic White
(https://github.com/sensepost/mainframe_brute). However, this script
doesn't rely on any third party libraries or tools and instead uses
the NSE TN3270 library which emulates a TN3270 screen in lua.

Using the CICS transaction CEMT, this script attempts to gather information
about the current CICS transaction server region. It gathers OS information,
Datasets (files), transactions and user ids. Based on CICSpwn script by
Ayoub ELAASSAL.

Connects to a dictionary server using the DICT protocol, runs the SHOW
SERVER command, and displays the result. The DICT protocol is defined in RFC
2229 and is a protocol which allows a client to query a dictionary server for
definitions from a set of natural language dictionary databases.

Detects and exploits a remote code execution vulnerability in the distributed
compiler daemon distcc. The vulnerability was disclosed in 2002, but is still
present in modern implementations due to poor configuration of the service.

Checks target IP addresses against multiple DNS anti-spam and open
proxy blacklists and returns a list of services for which an IP has been
flagged. Checks may be limited by service category (e.g. SPAM, PROXY) or to a
specific service name.

Performs a domain lookup using the edns-client-subnet option which
allows clients to specify the subnet that queries supposedly originate
from. The script uses this option to supply a number of
geographically distributed locations in an attempt to enumerate as
many different address records as possible. The script also supports
requests using a given subnet.

Retrieves information from a DNS nameserver by requesting
its nameserver ID (nsid) and asking for its id.server and
version.bind values. This script performs the same queries as the following
two dig commands:
- dig CH TXT version.bind @target
- dig +nsid CH TXT id.server @target

Enumerates various common service (SRV) records for a given domain name.
The service records contain the hostname, port and priority of servers for a given service.
The following services are enumerated by the script:
- Active Directory Global Catalog
- Exchange Autodiscovery
- Kerberos KDC Service
- Kerberos Passwd Change Service
- LDAP Servers
- SIP Servers
- XMPP S2S
- XMPP C2S

This NSE script is used to send an EtherNet/IP packet to a remote device that
has TCP 44818 open. The script will send a Request Identity Packet and once a
response is received, it validates that it was a proper response to the command
that was sent, and then will parse out the data. Information that is parsed
includes Vendor ID, Device Type, Product name, Serial Number, Product code,
Revision Number, as well as the Device IP.

Attempts to enumerate process info over the Apple Remote Event protocol.
When accessing an application over the Apple Remote Event protocol the
service responds with the uid and pid of the application, if it is running,
prior to requesting authentication.

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow),
a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki.
See the advisory at https://nmap.org/r/fbsd-sa-opie.
Be advised that, if launched against a vulnerable host, this script will crash the FTPd.

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID
69562. This script attempts to exploit the backdoor using the innocuous
id command by default, but that can be changed with the
ftp-proftpd-backdoor.cmd script argument.

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04
(CVE-2011-2523). This script attempts to exploit the backdoor using the
innocuous id command by default, but that can be changed with
the exploit.cmd or ftp-vsftpd-backdoor.cmd script
arguments.

Checks for a stack-based buffer overflow in the ProFTPD server, version
between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape
sequences, the proftpd process miscalculates the buffer length, and a remote
attacker will be able to corrupt the stack and execute arbitrary code within
the context of the proftpd process (CVE-2010-4221). Authentication is not
required to exploit this vulnerability.

Attempts to retrieve the server-status page for Apache webservers that
have mod_status enabled. If the server-status page exists and appears to
be from mod_status the script will parse useful information such as the
system uptime, Apache version and recent HTTP requests.

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by
sending a specially crafted request to the parameter xsd
(OSVDB-59001). By default it will try to retrieve the configuration file of the
Axis2 service '/conf/axis2.xml' using the path
'/axis2/services/' to return the username and password of the
admin account.

Spiders a website and attempts to identify backup copies of discovered files.
It does so by requesting a number of different combinations of the filename
(e.g. index.bak, index.html~, copy of index.html).

Decodes any unencrypted F5 BIG-IP cookies in the HTTP response.
BIG-IP cookies contain information on backend systems such as
internal IP addresses and port numbers.
See here for more info: https://support.f5.com/csp/article/K6917

Examines cookies set by HTTP services. Reports any session cookies set
without the httponly flag. Reports any session cookies set over SSL without
the secure flag. If http-enum.nse is also run, any interesting paths found
by it will be checked in addition to the root.

Checks the cross-domain policy file (/crossdomain.xml) and the
client-access-policy file (/clientaccesspolicy.xml) in web applications and
lists the trusted domains. Overly permissive settings enable Cross Site Request
Forgery attacks and may allow attackers to access sensitive data. This script
is useful to detect permissive configurations and possible domain names
available for purchase to exploit the application.

Gets the date from HTTP-like services. Also prints how much the date
differs from local time. Local time is the time the HTTP request was
sent, so the difference includes at least the duration of one RTT.

Attempts to enumerate the hashed Domino Internet Passwords that are (by
default) accessible by all authenticated users. This script can also download
any Domino ID Files attached to the Person document. Passwords are presented
in a form suitable for running in John the Ripper.

Gets the favicon ("favorites icon") from a web page and matches it against a
database of the icons of known web applications. If there is a match, the name
of the application is printed; otherwise the MD5 hash of the icon data is
printed.

Checks for a Git repository found in a website's document root
(/.git/<something>) and retrieves as much repo information as
possible, including language/framework, remotes, last commit
message, and repository description.

Attempts to brute force the 8.3 filenames (commonly known as short names) of files and directories in the root folder
of vulnerable IIS servers. This script is an implementation of the PoC "iis shortname scanner".

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access
secured WebDAV folders by searching for a password-protected folder and
attempting to access it. This vulnerability was patched in Microsoft Security
Bulletin MS09-020, https://nmap.org/r/ms09-020.

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x
before 4.0.15 to retrieve the target script's source code by sending an HTTP
request with a null byte followed by a .txt file extension (CVE-2010-2333).

Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering.
If an array of paths to check is not set, it will crawl the web server and perform the check against any
password protected resource that it finds.

Finds out what options are supported by an HTTP server by sending an
OPTIONS request. Lists potentially risky methods. It tests those methods
not mentioned in the OPTIONS headers individually and sees if they are
implemented. Any response other than 501/405 suggests that the method is
implemented, if the status code is not in the range 400 to 600. If the response
falls under that range then it is compared to the response from a randomly
generated method.

Spiders a website and attempts to identify open redirects. Open
redirects are handlers which commonly take a URL as a parameter and
respond with an HTTP redirect (3XX) to the target. Risks of open redirects are
described at http://cwe.mitre.org/data/definitions/601.html.

Spiders a web server and displays its directory structure along with
number and types of files in each folder. Note that files listed as
having an 'Other' extension are ones that have no extension or that
are a root document.

Exploits a directory traversal vulnerability existing in several TP-Link
wireless routers. Attackers may exploit this vulnerability to read any of the
configuration and password files remotely and without authentication.

Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC
is an intelligent field panel for communicating with HVAC equipment controllers
deployed across several sectors including commercial facilities and others.

Spiders a website and attempts to identify output escaping problems
where content is reflected back to the user. This script locates all
parameters (?x=foo&y=bar) and checks if the values are reflected on the
page. If they are indeed reflected, the script will try to insert
ghz>hzx"zxc'xcv and check which (if any) characters were reflected
back onto the page without proper HTML escaping. This is an
indication of a potential XSS vulnerability.

Checks whether a file has been determined as malware by Virustotal. Virustotal
is a service that provides the capability to scan a file or check a checksum
against a number of the major antivirus vendors. The script uses the public
API which requires a valid API key and has a limit of 4 queries per minute.
A key can be acquired by registering as a user on the virustotal web page:

Connects to a VLC Streamer helper service and lists directory contents. The
VLC Streamer helper service is used by the iOS VLC Streamer application to
enable streaming of multimedia content from the remote server to the device.

Executes a directory traversal attack against a ColdFusion
server and tries to grab the password hash for the administrator user. It
then uses the salt value (hidden in the web page) to create the SHA1
HMAC hash that the web server needs for authentication as admin. You can
pass this value to the ColdFusion server as the admin without cracking
the password hash.

An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows for
unauthenticated users to execute arbitrary SQL commands. This vulnerability was
caused by a new component, com_fields, which was introduced in
version 3.7. This component is publicly accessible, which means this can be
exploited by any malicious individual visiting the site.

A vulnerability has been discovered in WNR 1000 series that allows an attacker
to retrieve administrator credentials with the router interface.
Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA

Performs brute force password auditing against the Asterisk IAX2 protocol.
Guessing fails when a large number of attempts is made due to the maxcallnumber
limit (default 2048). In case you're getting "ERROR: Too many retries,
aborted ..." after a while, this is most likely what's happening.
In order to avoid this problem try:
- reducing the size of your dictionary
- using the brute delay option to introduce a delay between guesses
- splitting the guessing up in chunks and waiting for a while between them

Tests a list of known ICAP service names and prints information about
any it detects. The Internet Content Adaptation Protocol (ICAP) is
used to extend transparent proxy servers and is generally used for
content filtering and antivirus scanning.

Obtains information (such as vendor and device type where available) from an
IKE service by sending four packets to the host. This script tests with both
Main and Aggressive Mode and sends multiple transforms per request.

Tries to identify the physical location of an IP address using a
Geolocation Maxmind database file (available from
http://www.maxmind.com/app/ip-location). This script supports queries
using all Maxmind databases that are supported by their API including
the commercial ones.

Generates a flood of Router Advertisements (RA) with random source MAC
addresses and IPv6 prefixes. Computers which have stateless autoconfiguration
enabled by default (every major OS) will start to compute IPv6 suffixes and
update their routing table to reflect the accepted announcement. This will
cause 100% CPU usage on Windows and other platforms, preventing them from
processing other application requests.

Attempts to exploit java's remote debugging port. When remote debugging
port is left open, it is possible to inject java bytecode and achieve
remote code execution. This script abuses this to inject and execute
a Java class file that executes the supplied shell command and returns
its output.

Attempts to exploit java's remote debugging port. When the remote
debugging port is left open, it is possible to inject java bytecode
and achieve remote code execution. This script injects and executes a
Java class file that returns remote system information.

Detects the Java Debug Wire Protocol. This protocol is used by Java programs
to be debugged via the network. It should not be open to the public Internet,
as it does not provide any security against malicious attackers who can inject
their own bytecode into the debugged process.

Discovers KNX gateways by sending a KNX Search Request to the multicast address
224.0.23.12 including a UDP payload with destination port 3671. KNX gateways
will respond with a KNX Search Response including various information about the
gateway, such as KNX address and supported services.

Discovers valid usernames by brute force querying likely usernames against a
Kerberos service. When an invalid username is requested the server will respond
using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to
determine that the user name was invalid. Valid user names will elicit either
the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED,
signaling that the user is required to perform pre-authentication.

Universal Password enables advanced password policies, including extended
characters in passwords, synchronization of passwords from eDirectory to
other systems, and a single password for all access to eDirectory.

Gathers info from the Metasploit rpc service. It requires a valid login pair.
After authentication it tries to determine the Metasploit version and deduce
the OS type. Then it creates a new console and executes a few commands to get
additional info.

Connects to an RPA Tech Mobile Mouse server, starts an application and
sends a sequence of keys to it. Any application that the user has
access to can be started and the key sequence is sent to the
application after it has been started.

Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin
Connection) port of a given (or all) SQL Server instance. The DAC port
is used to connect to the database instance when normal connection
attempts fail, for example, when the server is hanging, out of memory or
in other bad states. In addition, the DAC port provides an admin with
access to system objects otherwise not accessible over normal
connections.

Lists remote file systems by querying the remote device using the Network
Data Management Protocol (ndmp). NDMP is a protocol intended to transport
data between a NAS device and the backup device, removing the need for the
data to pass through the backup server. The following products are known
to support the protocol:

Retrieves version information from the remote Network Data Management Protocol
(ndmp) service. NDMP is a protocol intended to transport data between a NAS
device and the backup device, removing the need for the data to pass through
the backup server. The following products are known to support the protocol:

Gets the time and configuration variables from an NTP server. We send two
requests: a time request and a "read variables" (opcode 2) control message.
Without verbosity, the script shows the time and the value of the version,
processor, system, refid, and stratum variables. With verbosity, all
variables are shown.

This NSE script is used to send a FINS packet to a remote device. The script
will send a Controller Data Read Command and once a response is received, it
validates that it was a proper response to the command that was sent, and then
will parse out the data.

Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's
O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g
R1/R2 and allows linking the session key to a password hash. When
initiating an authentication attempt as a valid user the server will
respond with a session key and salt. Once received the script will
disconnect the connection thereby not recording the login attempt.
The session key and salt can then be used to brute force the user's
password.

This NSE script will query a remote PLC and parse the pcworx protocol.
The script will send an initial request packet and once a response is received,
it validates that it was a proper response to the command that was sent, and then
will parse out the data. PCWorx is a protocol and program by Phoenix Contact.

Retrieves or sets the ready message on printers that support the Printer
Job Language. This includes most PostScript printers that listen on port
9100. Without an argument, displays the current ready message. With the
pjl_ready_message script argument, displays the old ready
message and changes it to the message given.

Detects if naive signing is enabled on a Puppet server. This enables attackers
to create any Certificate Signing Request and have it signed, allowing them
to impersonate a puppet agent. This can leak the configuration of the agents
as well as any other sensitive information found in the configuration files.

Repeatedly probe open and/or closed ports on a host to obtain a series
of round-trip time values for each port. These values are used to
group collections of ports which are statistically different from other
groups. Ports being in different groups (or "families") may be due to
network mechanisms such as port forwarding to machines behind a NAT.

Determines which Security layer and Encryption level is supported by the
RDP service. It does so by cycling through all existing protocols and ciphers.
When run in debug mode, the script also returns the protocols and ciphers that
fail and any errors that were reported.

Resolves hostnames and adds every address (IPv4 or IPv6, depending on
Nmap mode) to Nmap's target list. This differs from Nmap's normal
host resolution process, which only scans the first address (A or AAAA
record) returned for each host name.

Tests whether Java rmiregistry allows class loading. The default
configuration of rmiregistry allows loading classes from remote URLs,
which can lead to remote code execution. The vendor (Oracle/Sun)
classifies this as a design feature.

Connects to the rpcap service (provides remote sniffing capabilities
through WinPcap) and retrieves interface information. The service can either be
set up to require authentication or not and also supports IP restrictions.

Connects to portmapper and fetches a list of all registered programs. It then
prints out a table including (for each program) the RPC program number,
supported version numbers, port number and protocol, and program name.

Enumerates Siemens S7 PLC Devices and collects their device information. This
script is based off PLCScan that was developed by Positive Research and
Scadastrangelove (https://code.google.com/p/plcscan/). This script is meant to
provide the same functionality as PLCScan inside of Nmap. Some of the
information that is collected by PLCScan was not ported over; this
information can be parsed out of the packets that are received.

Queries Shodan API for given targets and produces similar output to
a -sV nmap scan. The ShodanAPI key can be set with the 'apikey' script
argument, or hardcoded in the .nse file itself. You can get a free key from
https://developer.shodan.io

Attempts to guess username/password combinations over SMB, storing discovered combinations
for use in other scripts. Every attempt will be made to get a valid list of users and to
verify each username before actually using them. When a username is discovered, besides
being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That
means that if you're going to run smb-brute.nse, you should run other smb scripts you want.
This checks passwords in a case-insensitive way, determining case after a password is found,
for Windows versions before Vista.

Attempts to enumerate domains on a system, along with their policies. This generally requires
credentials, except against Windows 2000. In addition to the actual domain, the "Builtin"
domain is generally displayed. Windows returns this in the list of domains, but its policies
don't appear to be used anywhere.

Pulls a list of processes from the remote server over SMB. This will determine
all running processes, their process IDs, and their parent processes. It is done
by querying the remote registry service, which is disabled by default on Vista;
on all other Windows versions, it requires Administrator privileges.

Enumerates the users logged into a system either locally or through an SMB
share. The local users can be logged on either physically on the machine, or
through a terminal services session. Connections to an SMB share are, for
example, people connected to fileshares or making RPC calls. Nmap's connection
will also show up, and is generally identified by the one that connected "0
seconds ago".

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and
retrieve more information about them using srvsvc.NetShareGetInfo. If access
to those functions is denied, a list of common share names is checked.

Attempts to enumerate the users on a remote Windows system, with as much
information as possible, through two different techniques (both over MSRPC,
which uses port 445 or 139; see smb.lua). The goal of this script
is to discover all user accounts that exist on a remote system. This can be
helpful for administration, by seeing who has an account on a server, or for
penetration testing or network footprinting, by determining which accounts
exist on a system.

Exhausts a remote SMB server's connection limit by opening as many
connections as we can. Most implementations of SMB have a hard global
limit of 11 connections for user accounts and 10 connections for
anonymous. Once that limit is reached, further connections are
denied. This script exploits that limit by taking up all the
connections and holding them.

Attempts to determine the operating system, computer name, domain, workgroup,
and current time over the SMB protocol (ports 445 or 139). This is done by
starting a session with the anonymous account (or with a proper user account,
if one is given; it likely doesn't make a difference); in response to a session
starting, the server will send back all this information.

Implements remote process execution similar to the Sysinternals' psexec
tool, allowing a user to run a series of programs on a remote machine and
read the output. This is great for gathering information about servers,
running the same tool on a range of systems, or even installing a backdoor on
a collection of computers.

Pulls back information about the remote system from the registry. Getting all
of the information requires an administrative account, although a user account
will still get a lot of it. Guest probably won't get any, nor will anonymous.
This goes for all operating systems, including Windows 2000.

Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
execution vulnerability (ms17-010, a.k.a. EternalBlue).
The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer
dereference. This check will crash the service if it is vulnerable and requires a guest account or
higher to work.

Checks for a memory corruption in the Postfix SMTP server when it uses
Cyrus SASL library authentication mechanisms (CVE-2011-1720). This
vulnerability can allow denial of service and possibly remote code
execution.

Checks for a format string vulnerability in the Exim SMTP server
(version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support
(CVE-2011-1764). The DKIM logging mechanism did not use format string
specifiers when logging some parts of the DKIM-Signature header field.
A remote attacker who is able to send emails can exploit this vulnerability
and execute arbitrary code with the privileges of the Exim daemon.

This script takes a table of paths to private keys, passphrases, and usernames
and checks each pair to see if the target ssh server accepts them for publickey
authentication. If no keys are given or the known-bad option is given, the
script will check if a list of known static public keys are accepted for
authentication.

Detects whether a server is vulnerable to the SSL/TLS "CCS Injection"
vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi.
The script is based on the ccsinjection.c code authored by Ramon de C Valle
(https://gist.github.com/rcvalle/71f4b027d61a78c42607)

Retrieves a server's SSL certificate. The amount of information printed
about the certificate depends on the verbosity level. With no extra
verbosity, the script prints the validity period and the commonName,
organizationName, stateOrProvinceName, and countryName of the subject.

Reports any private (RFC1918) IPv4 addresses found in the various fields of
an SSL service's certificate. These will only be reported if the target
address itself is not private. Nmap v7.30 or later is required.

This script repeatedly initiates SSLv3/TLS connections, each time trying a new
cipher or compressor while recording whether a host accepts or rejects it. The
end result is a list of all the ciphersuites and compressors that a server accepts.

Sends an ICMPv6 packet with an invalid extension header to the
all-nodes link-local multicast address (ff02::1) to
discover (some) available hosts on the LAN. This works because some
hosts will respond to this probe with an ICMPv6 Parameter Problem
packet.

Attempts to discover available IPv6 hosts on the LAN by sending an MLD
(multicast listener discovery) query to the link-local multicast address
(ff02::1) and listening for any responses. The query's maximum response delay
is set to 1 to provoke hosts to respond immediately rather than waiting for
other responses from their multicast group.

Sniffs the local network for a configurable amount of time (10 seconds
by default) and prints discovered addresses. If the
newtargets script argument is set, discovered addresses
are added to the scan queue.

Determines whether the encryption option is supported on a remote telnet
server. Some systems (including FreeBSD and the krb5 telnetd available in many
Linux distributions) implement this option incorrectly, leading to a remote
root vulnerability. This script currently only tests whether encryption is
supported, not for that particular vulnerability.

Compares the detected service on a port against the expected service for that
port number (e.g. ssh on 22, http on 80) and reports deviations. The script
requires that a version scan has been run in order to be able to discover what
service is actually running on each port.

Sniffs an interface for HTTP traffic and dumps any URLs, and their
originating IP address. Script output differs from other scripts, as
URLs are written to stdout directly. There is also an option to log
the results to a file.

Detects the Ventrilo voice communication server service versions 2.1.2
and above and tries to determine version and configuration
information. Some of the older versions (pre 3.0.0) may not have the
UDP service that this probe relies on enabled by default.

Tries to log into a VNC server and get its desktop name. Uses credentials
discovered by vnc-brute, or None authentication types. If
realvnc-auth-bypass was run and returned VULNERABLE, this script
will use that vulnerability to bypass authentication.

A library implementing a minor subset of the IMAP protocol, currently the
CAPABILITY, LOGIN and AUTHENTICATE functions. The library was initially
written by Brandon Enright and later extended and converted to OO-form by
Patrik Karlsson <patrik@cqure.net>

By making heavy use of the smb library, this library will call various MSRPC
functions. The functions used here can be accessed over TCP ports 445 and 139,
with an established session. A NULL session (the default) will work for some
functions and operating systems (or configurations), but not for others.

This module is designed to parse the PERF_DATA_BLOCK structure, which is
stored in the registry under HKEY_PERFORMANCE_DATA. By querying this structure, you can
get a whole lot of information about what's going on.

This module was written to marshal parameters for Microsoft RPC (MSRPC) calls.
The values passed in and out are based on structs defined by the protocol, and
documented by Samba developers. For detailed breakdowns of the types, take a
look at Samba 4.0's .idl files.

PostgreSQL library supporting both version 2 and version 3 of the protocol.
The library currently contains the bare minimum to perform authentication.
Authentication is supported with or without SSL enabled and using the
plain-text or MD5 authentication mechanisms.

A minimalistic PPPoE (Point-to-point protocol over Ethernet)
library, implementing basic support for PPPoE
Discovery and Configuration requests. The PPPoE protocol is ethernet based
and hence does not use any IPs or port numbers.

This library implements the fundamentals needed to communicate with the
WinPcap Remote Capture Daemon. It currently supports authenticating to
the service using either NULL-, or Password-based authentication.
In addition it has the capabilities to list the interfaces that may be
used for sniffing.

This is the NSE implementation of SLAXML.
SLAXML is a pure-Lua SAX-like streaming XML parser. It is more robust
than many (simpler) pattern-based parsers that exist, properly supporting
code like <expr test="5 > 7" />, CDATA nodes, comments,
namespaces, and processing instructions.
It is currently not a truly valid XML parser, however, as it allows certain XML that is
syntactically-invalid (not well-formed) to be parsed without reporting an error.
The streaming parser does a simple pass through the input and reports what it sees along the way.
You can optionally ignore white-space only text nodes using the stripWhitespace option.
The library contains the parser class and the parseDOM function.

A UPNP library based on code from upnp-info initially written by
Thomas Buchanan. The code was factored out from upnp-info and partly
re-written by Patrik Karlsson <patrik@cqure.net> in order to support
multicast requests.

A library that enables scripts to send Web Service Dynamic Discovery probes
and perform some very basic decoding of responses. The library is in no way
a full WSDD implementation; it's rather the result of some packet captures
and some creative coding.